Following last month’s seizure of a couple of its VPN (opens in new tab) servers in Ukraine, security tools provider WindScribe (opens in new tab) shockingly revealed that the seized servers weren’t encrypted.
While WindScribe contends that no user data is at risk since it doesn’t log any activities, the unencrypted server had an OpenVPN (opens in new tab) server certificate along with its private key.
In a blog post (opens in new tab) Windscribe’s founder Yegor Sak admits that anyone with the private keys could have impersonated the Windscribe servers to capture and decrypt traffic passing through them.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
>> Click here to start the survey in a new window (opens in new tab) <<
- Here’s our list of the best VPN services (opens in new tab)
- These are the best VPN services for Windows 10 (opens in new tab)
- Also take a look at our roundup of the best VPN services for Mac devices (opens in new tab)
“Although we have encrypted servers in high sensitivity regions, the servers in question were running a legacy stack and were not encrypted. We are currently enacting our plan to address this,” wrote Sak.
According to Sak, the seized servers were part of an old investigation into an activity that occurred over a year ago.
While sharing the plans to address the incident and improve Windscribe’s OpenVPN infrastructure, Sak revealed that their OpenVPN server and client configuration used the compress parameter.
By Sak's own admission, the compress parameter was deprecated in 2018 after security researchers revealed that it could be exploited to allow adversaries to decrypt data.
For its part though, Windscribe has assured that it has “no reason to believe” that the servers were compromised or that any unauthorized access took place before the seizure.
Furthermore, Sak has promised to get their replacement server stack audited by a third-party to ensure it is completely sound.
- We’ve also rounded up the best business VPN services (opens in new tab)